Data-Driven Risk Management
By Ron Mehring, CISO, Texas Health Resources
When I was asked to write an article for CSO Outlook, I pondered what has been the prominent function or activity that has made the biggest difference in the way I lead information security. By far, it has to be the employment of robust risk management practices that are prioritized and driven by data analytics. The title of this article could very well be "How I learned to stop worrying and love the data." Before I get started, I would like to mention three books that I believe should be read by anyone really wanting to become data driven within their information security risk management programs.
Moving towards becoming data driven is critical to managing risk in highly complex organizations. As a healthcare security professional I see increasing complexity within the business of healthcare and the underlying architectures. I would even go out on a limb and state that all industries are having the same challenges. This increasing complexity is amplifying the importance of driving maturity and discipline into organizational information security risk management activities.
This exponential growth in complexity along with the increase of high-impact cyber security attacks has created an environment of uncertainty. This uncertainty is causing corporate boards and executive leaders to ask very tough questions, such as:
• What are our most significant technology risks?
• How much aggregate risk exposure do we have?
• What is the probability we will be attacked?
• What is our loss potential?
• What security investments would reduce risk exposure?
• How much risk should I transfer to insurance?
In most complex organizations and architectures these questions can be very difficult to answer. I will bet that many of you who are reading this article could easily add many more questions to this list. So how do we begin preparing our security team to answer these difficult questions and reduce uncertainty?
The Risk Management Team
One of the first steps in moving toward becoming data driven is assessing your internal talent. It is highly probable that your team members are currently focused on security workflow, process management, policy and other associated IT security compliance activities. Moving towards becoming data driven will be a very significant transition for them. These team members will more than likely not only need training, but also assistance in looking at security risk management functions through a much different lens. Some skill areas that should be focused on to support moving toward a data-driven risk management program include:
• Data collection: Team members will need a solid understanding of how to pull and aggregate data from multiple types of data sources.
• Data analysis: Team members will require the ability to create and apply both quantitative and qualitative models. They will need to have a foundational knowledge of mathematics and statistics in particular.
• Data analysis tools: Team members will be required to learn data analysis tools and languages that will help them effectively gather analysis and present results.
• Reporting and visualization: Once the data is analyzed, it needs to be put into a format that leaders within the organization can understand.
One of the most important aspects of being data driven within risk management is asking a well-constructed question. Information security team members will need to understand the difference between descriptive and exploratory, inferential and predictive questions. A couple of the more difficult concepts that I found team members struggle with in creating and answering data analysis questions are:
• Correlation does not imply causation
• If X predicts Y, it does not mean that X causes Y
Data analysis within complex environments is filled with unknown dependencies and imperfect information. Team members will need to be deeply aware of these concepts.
Technology Risk Register
Becoming data driven within your risk management functions will require some form of internal framework for housing and managing risk. A popular name for this approach is a risk register. Our technology risk register is composed of five risk domains.
• Core Systems/Infrastructure
• Medical Devices
• Vendor - 3rd Party
These five risk domains house risks, risk analysis, risk levels, measures, thresholds and targets that provide context for leaders to effectively manage risk within each domain.
When a risk threshold is breached, the risk is analyzed both quantitatively and qualitatively, and moved onto an enterprise-level risk register. The enterprise level register is the primary focus of corporate board and executive leaders as it represents systemic risk or the potential of catastrophic loss.
Linking Security Operations and Governance
One of the keys to an effective risk management program is linking operational data with risk management data. Operational data does not directly translate well into risk management, so it must be bridged and associated with identified risk exposure. A technique I like to use for bridging is a traceability matrix. This matrix associates the risk management and operational data analytics approaches.
Operational: Operational data analytics are focused on short-term, control-based activities. Operational data should be considered signaling or surveillance in nature. These analytics normally are driven into weekly or monthly reports that answer the following type of questions:
• How many new critical vulnerabilities were released?
• How many vulnerabilities are over sixty days?
• Are there any account activity outliers?
• Did we receive a targeted phishing email?
• Was an indicator of compromise triggered?
Risk Management: Risk management data analytics are focused on mid to long term programmatic functions with the purpose of proactively identifying and managing risk exposure, thresholds and targets. This risk data is normally published within governance-themed quarterly reports, and answers questions such as:
• How much aggregate exposure are we carrying within each risk domain?
• Has breach probability increased?
• Is the security control performing to expectation?
• Have we had an incident that resulted in material harm?
• Do we have any systemic risk?
The matrix takes the two data analysis areas and links them together into a mutually supporting relationship that ensures that there is a continuous feedback loop.
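As an added illustration of the traceability matrix and the threshold-escalation rule described above (example code, not the author's own tooling), the following models a domain risk register whose rows are traced to operational measures, and escalates any breached row to an enterprise-level register. The domain names are the article's; the risks, measures, thresholds, targets and weekly values are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class DomainRisk:
    domain: str
    risk: str
    measure: str      # key of the operational metric this risk is traced to
    threshold: float  # breaching this escalates the risk to the enterprise register
    target: float     # level the program is driving toward

# Constructed register rows (hypothetical risks, measures and thresholds)
REGISTER = [
    DomainRisk("Core Systems/Infrastructure", "Aged critical vulnerabilities",
               "critical_vulns_over_60_days", threshold=25, target=5),
    DomainRisk("Medical Devices", "Devices on unsupported OS",
               "unsupported_device_pct", threshold=20.0, target=5.0),
    DomainRisk("Vendor - 3rd Party", "Vendors without a current assessment",
               "vendors_unassessed", threshold=10, target=0),
]

# Constructed weekly operational measurements that feed the matrix
OPERATIONAL = {
    "critical_vulns_over_60_days": 31,
    "unsupported_device_pct": 12.5,
    "vendors_unassessed": 14,
}


def status_for(row: DomainRisk, value: float) -> str:
    """Classify one measurement against the row's threshold and target."""
    if value > row.threshold:
        return "breached"        # escalate to the enterprise-level register
    if value > row.target:
        return "above target"    # managed within the domain
    return "at target"


def evaluate(register, measurements):
    """Bridge operational data into the register; return (domain rows, enterprise rows)."""
    domain_rows, enterprise_rows = [], []
    for row in register:
        if row.measure not in measurements:   # a risk with no traced data is a gap, not "green"
            raise KeyError(f"no operational data traced to {row.risk!r}")
        value = measurements[row.measure]
        entry = {"domain": row.domain, "risk": row.risk, "value": value,
                 "status": status_for(row, value)}
        domain_rows.append(entry)
        if entry["status"] == "breached":
            enterprise_rows.append(entry)
    return domain_rows, enterprise_rows
```

Calling `evaluate(REGISTER, OPERATIONAL)` returns all three domain rows plus the two breached rows (core systems and vendor) as the enterprise-level register; a row with no traced operational measure raises rather than silently reporting as within target.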
Visualization is the end state of a data analysis exercise. Well-designed visualization will serve as the primary mechanism in helping your corporate board members and executive leaders understand the risks that need the most attention within the organization.
• Keep your visualizations simple and ensure they answer the proposed question.
• Try to use visualizations similar to those your leaders are accustomed to seeing. This will allow leaders to orient quickly.
• Do not get too fancy with your visualizations. Histograms and scatter plots still work well in most data analysis use cases.
• Always provide a short, descriptive analysis to support your visualization.
Moving toward data-driven risk management within your information security program is not something you will accomplish in a month or even a year. Pace your team and start off with small and focused data analysis use cases. Within no time, you too will be able to stop worrying and love the data.